FTC Investigating Privacy Risks of Digital Copiers

By Chris Preimesberger  |  Posted 2010-05-18

UPDATED: Beyond simply mailing educational material to businesses, the FTC is now looking deeper into the problem of personal documents retained in public copiers and is working with industry manufacturers and service vendors to close off worrisome security gaps in this sector.

Each time you use a digital copier, you may be storing documents or photos on a hard drive that can potentially be accessed by identity thieves, who can use the information for criminal financial gain.

A 2008 survey on copier security commissioned by copier manufacturer Sharp found 60 percent of Americans don't know that copiers store images on a hard drive, so this is indeed a serious and widespread problem.

Sen. Edward Markey (D-Mass.), who voiced concern about this issue in a letter to the Federal Trade Commission (PDF) last month, said May 18 that the FTC is now looking deeper into this problem and is working with industry manufacturers and service vendors to close off worrisome security gaps in this sector.

In a response released by Markey's office May 18, FTC Commissioner Jon Leibowitz said that his agency is well aware of this issue and has distributed "business education material instructing businesses to dispose of hard drives containing customer information securely."

However, now the FTC will be taking more direct action than simply sending educational material to businesses, Leibowitz said.

"The FTC is now reaching out to copier manufacturers, resellers and retail copy and office supply stores to ensure they are aware of the privacy laws associated with digital copiers ... and to determine whether they are providing options for secure copying," Leibowitz wrote.

It is certainly a problem that a great deal of personal information is stored every day on both private and public machines, where customers cannot erase it. However, a larger issue is that when these often-leased copiers are resold, the data residing on them often isn't deleted and simply moves into the hands of a new owner.

Markey, in his letter to Leibowitz, cited a March 19 CBS News report that brought this issue into fine resolution.

"Nearly every copy machine manufactured since 2002 contains a digital hard drive that functions like a computer hard drive, storing an image of every document, scanned, copied or e-mailed by the copy machine," Markey said. "These machines often are leased and subsequently returned after the lease period for further usage by other individuals or companies.

'Many copier drives not wiped clean'

"Many copier hard drives are not wiped clean of the documents stored on them after they are returned or otherwise disposed of, allowing individuals -- including identity thieves and other criminals -- to access the sensitive and private information and use it to commit identity theft or other crimes."

The CBS News report by investigative reporter Armen Keteyian was eye-opening, to say the least. Keteyian visited a warehouse in New Jersey -- one of 25 across the country -- to see how hard it would be to buy a used copier loaded with documents. Keteyian found that it is "pretty easy."

On copiers that were reselling for as low as $300, documents still intact on the hard drives included law enforcement information: details about domestic violence complaints, a list of wanted sex offenders, and a list of targets in a major drug raid.

On another machine, recycled from a New York construction company, Keteyian found design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and Social Security numbers; and $40,000 in copied checks.

On yet another machine, which had belonged to a New York-based insurance company, there were 300 pages of individual medical records -- including drug prescriptions, blood test results and a cancer diagnosis. This is a potentially serious breach of federal privacy law, CBS said.

FedEx Office has updated its retail copiers

FedEx Office, which has 1,800 locations in North America and is the nation's largest retailer of copy services, is aware of this and has specific policies to mitigate the problem.

"FedEx Office takes information security very seriously," FedEx Office Acting Manager of Marketplace and Interactive Communications Sonya Thorpe wrote in an e-mail to eWEEK.

"We have a dedicated team that regularly evaluates and implements security measures for our business, and we have a strict confidentiality policy in place and related training for our team members. Our digital copy machines have built-in security options to prevent subsequent retrieval of copies, so images (or scans) are erased from the hard drives of these devices.

"In addition, the equipment suppliers we work with have procedures and requirements that safeguard customer data, and our agreements with them contain language on confidentiality. With technology constantly evolving, we continuously follow the latest trends and work to improve all our safety and security measures."

Editor's note: This story has been updated to clarify FedEx Office's policy on handling data stored on its copier hard drives.
